Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty. The tweet also disclosed the Zoom …

  1. J. R. Hartley

    The title is no longer required

    Tories In SNAFU Shocker. Should Corbyn Resign Over This?

    1. The Man Who Fell To Earth Silver badge
      WTF?

      Then there's that little audio transcription issue

      Where the host can record the zoom meeting & have it transcribed. How many humans are listening in order to improve that service?

      1. Anonymous Coward
        Anonymous Coward

        Re: Then there's that little audio transcription issue

        How many humans listening? Probably the same number of people who happily use voice assistants.

        Cheers… Ishy

  2. John Smith 19 Gold badge
    Gimp

    For most people Covid 19 is a disaster

    For data fetishists it's the biggest opportunity since 9/11.

    Your data in their hands.

    What can possibly go wrong?

    And it's got the Boris seal of approval.

    So you know it must be good.

    1. Anonymous Coward
      Anonymous Coward

      Re: For most people Covid 19 is a disaster

      For data fetishists it's the biggest opportunity since 9/11.

      I can't think of anything more apposite here. If the muppets in charge want to take away our end-to-end encryption because they want access to all our data to "protect us from terrorists & paedophiles", why the fuck should they be able to use it?

    2. Stuart 22

      Re: For most people Covid 19 is a disaster

      "The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected."

      Why didn't the reporter mention what happened when they tried 1234 ... ?

  3. Anonymous Coward
    Anonymous Coward

    Let's hope someone doesn't hack ...

    ... that Cabinet meeting Zoom video conference Feed.

    1. BebopWeBop
      Pint

      Re: Let's hope someone doesn't hack ...

      Very good - chapeau and more ------->

      Enforced idleness makes much opportunity for idle hands

    2. Anonymous Coward
      Anonymous Coward

      Re: Let's hope someone doesn't hack ...

      I come on ... who could ever believe that a government - even ours - would do something *this* stupid. This report is clearly today's "April Fool" article. Meanwhile, I'm really looking forward to the new Saturn V launch :-)

      1. Anonymous Coward
        Anonymous Coward

        Saturn ...

        ... like Herd Immunity, devours his children.

        1. W.S.Gosset

          Re: Saturn ...

          Or in covid-19's case, his grandparents

    3. Anonymous Coward
      Anonymous Coward

      Re: Let's hope someone doesn't hack ...

      ... that Cabinet meeting Zoom video conference Feed.

      It would be interesting to see which personalised adverts Zoom squirts at them. Presumably some at least would be for pay-day loans and paternity testing kits...

      1. Anonymous Coward
        Anonymous Coward

        Re: Let's hope someone doesn't hack ...

        @a/c Sorry, you mean Opera when you talk about payday loans

        Cheers… Ishy

        1. Yet Another Anonymous coward Silver badge

          Re: Let's hope someone doesn't hack ...

          You have to feel sorry for the FSB/CIA/MMB agents taking down the transcript

          Comrade, I have hacked the zoom feed but they seem to have some secret code....

          "Wiff-waff, crikey, bit of a sticky wicket as we used to say in big skool. Well my old motto, scribi bolloxi on omnibus"

    4. macjules

      When in doubt ..

      Switch to using WebEx. Unfortunately the WebEx Government ID has already been published online here

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    To be clear ...

    When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point we're lying,

    1. Anonymous Coward
      Meh

      Re: To be clear ...

      "When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point"

      "When I use a word," Humpty Dumpty said, in rather a scornful tone, "it means just what I choose it to mean - neither more nor less." Through the Looking Glass, Ch. 5

      1. doublelayer Silver badge

        Re: To be clear ...

        Ah. So I get to take all Zoom's stuff (obligatory XKCD link). Be right back; I need some new servers. Anyone else want stuff while I'm there?

    2. Warm Braw

      Re: To be clear ...

      If you want a brief overview of the likely reason for their economies of truth - the complexity of group key management - the introduction of this paper might be helpful. Or this RFC for a long read.

      1. Doctor Syntax Silver badge

        Re: To be clear ...

        If the meeting has a specific host then the host could manage the key centrally.

        1. Nitromoors

          Re: To be clear ...

          I think the likelihood of a majority of meeting hosts successfully managing a group key is a small round number - or at least for my wife or user base, all of whom are now zooming along without a licence to drive.

          1. Doctor Syntax Silver badge

            Re: To be clear ...

            It should be part of the S/W. If they advertise end-to-end encryption and mean it the way the rest of us expect it to be meant then they'd need to do that. The user need never be aware of it.

      2. Charlie van Becelaere
        Pint

        Re: To be clear ...

        I have no doubt that I shall be using the phrase "economies of truth" frequently.

        Cheers, and have one on me!

    3. Pascal Monett Silver badge

      Re: To be clear ...

      Right, so when they say "we do not sell your data", what should we infer ?

      Obviously.

      1. Dan 55 Silver badge

        Re: To be clear ...

        We do not sell your data, we only sell your metadata.

        1. batfink

          Re: To be clear ...

          we don't sell it, we just give it away for some other consideration...

          Yes - there are a lot of careful phrases in that "clarification". For example: " we do not use your data...for advertising purposes". OK, you might not use our data for advertising purposes, but you're not guaranteeing that our data doesn't end up with someone else for THEIR advertising (or other) purposes.

          1. Loyal Commenter Silver badge

            Re: To be clear ...

            "we do not use your data...for advertising purposes" - of course not, the advertisers we pass it on to do that, duh!

      2. Yet Another Anonymous coward Silver badge

        Re: To be clear ...

        >"we do not sell your data", what should we infer ?

        They license it, so their customers have to keep paying

    4. Gordon 10
      Stop

      Re: To be clear ...

      To be completely fair to Zoom the standard version of Webex does exactly the same thing. Webex has a dedicated client to client encrypted service with lots of functionality missing - Zoom doesn't appear to offer an equivalent.

      The rationale is that screen recording and other "in meeting" functions require interception and decryption of the stream.

      TL;DR - 99% of use cases will be fine on Zoom - fine being defined as "similar functionality to webex"

      So move along nothing to see here other than a convenient headline to bash the victim of today.

      1. Dan 55 Silver badge

        Re: To be clear ...

        Why would screen recording need the stream to be intercepted?

        1. Adam 1

          Re: To be clear ...

          If using its record to cloud feature (as opposed to record to this PC), the server would need to be given the session key used for the AES streams of that meeting. It is effectively another client for that call.

          The telephone dial in numbers would also need the session key.

          1. Cynic_999

            Re: To be clear ...

            It could be recorded as encrypted data. Several possible ways to arrange for authorized people to be able to decrypt it.

            1. Adam 1

              Re: To be clear ...

              It could be done that way, but I am describing the feature as it currently exists, where I can email you a URI, you click it and an MP4 starts playing in your browser. As I described, the server needs the session key for that functionality.

              I'm not advocating anyone use that feature, but if you do then that is how it would work. But if you disabled phone in and didn't record to cloud then no it should avoid sharing the session key to the server itself or remove that end to end encryption claim.

          2. doublelayer Silver badge

            Re: To be clear ...

            "If using its record to cloud feature (as opposed to record to this PC), the server would need to be given the session key used for the AES streams of that meeting. It is effectively another client for that call."

            Some solutions:

            1. Record from a local client and upload. No key needed.

            2. Record encrypted data and let it be decrypted by the users.

            3. Fine, so meetings recorded to cloud need end-to-end turned off. But other meetings recorded locally or not recorded at all would use it. So all I have to do to ensure full encryption is not to record to cloud? Thanks for telling me. Oh, wait.

            "The telephone dial in numbers would also need the session key."

            Some solutions:

            1. User approves numbers individually and sends them keys. The server doesn't need to know, only the phone endpoint, and that can erase them.

            2. Provide an option for a secure, user-maintained call-in point. That would be run by the user and therefore can be trusted with keys.

            3. Fine, so meetings including phone call-ins need end-to-end turned off. But other meetings using the software clients only, which is most calls, would use it. So all I have to do to ensure full encryption is not to use a phone to call in? Thanks for telling me. Oh, wait.

            You are missing the point. The major problem isn't the lack of end-to-end encryption. The major problem is not having end-to-end encryption but lying that you do.

            1. Adam 1

              Re: To be clear ...

              I'm not sure why you think I'm disagreeing with you or defending their claim. They should not be claiming end to end encryption. Anyone clever enough to implement encryption correctly knows damn well what that term means and TLS between server and client is not sufficient.

              Point 1 is absolutely correct. It should not share the key with the server if you are not asking for a cloud based MP4 to be available. It does though, hence the controversy.

              Point 2 would work, but that isn't what the feature does. You are trading off convenience of a sharable MP4 link for the complexity of requiring a bespoke player and a way to securely distribute the keys to your recipient. Again power to you if that's how you want to share it.

              I agree 3 would be a reasonable compromise.

              On your dial in suggestions, point 1, faking your dial in number is orders of magnitude easier than compromising the key.

              Point 2 would work of course, but now your company needs an extra 50 phone lines for that once a week call. Similar to point 1, there are some security compromises in proving that the incoming call is the authorised party. It also means that all audio of that call is going through a public phone system, so that's where the weakest chain link is.

              I don't disagree with point 3. If I ask for an end to end encrypted call, I expect any feature that cannot operate under that constraint to disable. It is wrong to create a false impression of security.
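As an added illustration of the two recording designs argued over in this sub-thread (not code from the original posts or from Zoom), here is a Go model of "record to cloud", where the server is handed the session key, beside the alternative of storing the recording encrypted and wrapping the session key only for authorised viewers. AES-256-GCM and viewer keys pre-shared out of band are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed model of the two recording designs: media is encrypted with a
// per-meeting session key (AES-256-GCM here is an assumption, not Zoom's design).
type Server struct {
	Recording   []byte            // ciphertext of the media, all the server stores
	SessionKey  []byte            // only set in the "record to cloud" design
	WrappedKeys map[string][]byte // viewer name -> session key wrapped for them
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts with AES-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key fails GCM authentication and returns an error.
func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// RecordToCloud: the server is "another client", so it is handed the session key.
func RecordToCloud(media []byte) (*Server, []byte) {
	sk := newKey()
	return &Server{Recording: seal(sk, media), SessionKey: sk}, sk
}

// RecordEncrypted: the server keeps only ciphertext plus the session key wrapped
// under each authorised viewer's long-term key (assumed shared out of band).
func RecordEncrypted(media []byte, viewerKeys map[string][]byte) *Server {
	sk := newKey()
	s := &Server{Recording: seal(sk, media), WrappedKeys: map[string][]byte{}}
	for name, vk := range viewerKeys {
		s.WrappedKeys[name] = seal(vk, sk)
	}
	return s
}

// ServerCanRead reports whether the server itself can recover the media.
func ServerCanRead(s *Server) bool {
	if s.SessionKey == nil {
		return false
	}
	_, err := open(s.SessionKey, s.Recording)
	return err == nil
}

// ViewerRead unwraps the session key with the viewer's own key, then decrypts.
func ViewerRead(s *Server, name string, viewerKey []byte) ([]byte, error) {
	wk, ok := s.WrappedKeys[name]
	if !ok {
		return nil, errors.New("not an authorised viewer")
	}
	sk, err := open(viewerKey, wk)
	if err != nil {
		return nil, err
	}
	return open(sk, s.Recording)
}
```

The trade-off Adam 1 describes is visible in the second design: a shared MP4 link no longer works, because whoever follows it must hold a wrapped copy of the session key.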

        2. Gordon 10

          Re: To be clear ...

          @Dan.

          Since both Webex and Zoom do it I presume there are reasons beyond the ken of an El Reg commentard.

          1. Dan 55 Silver badge

            Re: To be clear ...

            Since WhatsApp, Signal, and Wire don't do it and pre-Microsoft Skype didn't do it I presume it's all about the slurp.

            1. Roland6 Silver badge

              Re: To be clear ...

              >I presume it's all about the slurp.

              No I suspect Zoom does it that way because that was the way they did it in Webex (remember Webex and Zoom are like WhatsApp and Signal).

              I suspect it was done this way so as to keep the client small and have a single stream from the client to the streaming server, thus able to execute on a wide range of systems. Also, architecturally it makes sense - Webex is effectively just an enhanced streaming server - remember webex was designed before today's obsession with communications security. So having the streaming server save a copy of the stream in massive purpose built storage array not only makes technical sense, but also commercial sense as you can make this a chargeable feature...

              Also remember Skype was originally a one-to-one telephone call replacement, not a one-to-1000's conferencing solution.

              1. Dan 55 Silver badge

                Re: To be clear ...

                No I suspect Zoom does it that way because that was the way they did it in Webex (remember Webex and Zoom are like WhatsApp and Signal).

                WhatsApp and Signal are E2E encrypted, WebEx and Zoom are not, so Webex and Zoom are not like WhatsApp and Signal.

                1. Roland6 Silver badge

                  Re: To be clear ...

                  WhatsApp and Signal share the same roots - as do Webex and Zoom, so they are 'like' in the way that they have a common history, so I fully expect weaknesses in Zoom to also be present in Webex. However, like Signal and WhatsApp, I would expect Zoom to do better than Webex.

      2. Cuddles

        Re: To be clear ...

        "Everyone else is doing it" isn't even a good excuse for 6 year olds.

      3. Anonymous Coward
        Anonymous Coward

        Re: To be clear ...

        Found the techbro who works for Zoom.

      4. Henry Wertz 1 Gold badge

        Re: To be clear ...

        "So move along nothing to see here other than a convenient headline to bash the victim of today."

        Umm, what victim? Zoom falsely and fraudulently claim end to end encryption, an important feature for high-security meetings, WHEN THEY DON'T HAVE IT, and furthermore (so it's not just some marketing blurb error...) apparently have an in-app padlock symbol also falsely claiming E2E. The victims are the customers they've lied to that expected them to have this feature they claim to have.

        "The rationale is that screen recording and other "in meeting" functions require interception and decryption of the stream"

        And that rationale is nonsense. Obviously having Zoom record your session precludes E2E; so, you either grey those functions out (and have a switch to turn E2E on and off), or you have the app give a discreet warning saying E2E will be disabled when you use those functions, and people can decide if they want to use them or not.

        1. Eclectic Man Silver badge

          Re: To be clear ...

          JH: Now then, Humphrey, what is this I hear about Zoom not being encrypted end-to-end?

          HA: Now then, Prime Minister, I understand that the phrase 'end-to-end' is open to some interpretation, the interpretation of Zoom was that messages were encrypted at each end of the communication and therefore were encrypted 'end', to 'end' in that multiplexing of communications over the micro-wave network means that although the encryption may not be unbreakable, indeed may have been designed to make decryption readily achievable with error-correcting codes using ...

          JH: Humphrey! Humphrey! speak in English, please. What is going on?

          BW: I think Sir Humphrey was merely pointing out that the encryption applied by Zoom was indeed 'end-to-end', it was not encryption to be relied upon for secrecy.

          HA: Thank you, Bernard.

          JH: You mean that the cabinet meeting I held was not, 'secret'? That anyone could have listened in?

          HA: Not entirely, if you used a password for access to the meeting, someone would have needed technical capability to hack in to the meeting.

          JH: Well, that's a relief, I expect that would be pretty difficult.

          BW: Actually, Prime Minister, my nephew was listening in from his bedroom, he's doing GCSE computing.

          JH: MY GOD! All our secrets revealed. The deepest strategies of my government open to all to see! <sighs>. Did he take notes?

          BW: No, Prime Minister, he fell asleep.

          JH: Bernard, Humphrey, this must not happen again. You must set up something secure for next time.

          HA & BW: Yes, Prime Minister.

    5. herman

      Re: To be clear ...

      It depends on what the meaning of 'is' is.

      1. Rich 11

        Re: To be clear ...

        Can we even be sure that 'is' is 'is'?

      2. krivine
        Headmaster

        Re: To be clear ...

        Once upon a time a mate switched from his philosophy course during the first term. Lectures were all about the meaning of meaning.

    6. PC Paul

      Re: To be clear ...

      "It is fully securely encrypted from your machine to our man-in-the-middle server then again from there to your friends machine. We don't see the problem."

  6. big_D Silver badge

    Bavaria

    The Bavarian government was caught with their WebEx down as well.

    Heise's c't magazine found the links to the Bavarian meeting rooms were all open, predictable (a path + a room number, which was sequential) and none of the meeting rooms were password protected.

    Last week, they managed to sit in on a crisis meeting between the Minister-president of Bavaria, the police and the health ministry. After confirming that it was a private meeting, not meant for the public, they quietly left the meeting and informed the Ministry for IT Security (BIS) straight away. In the meantime, the meeting rooms have been password protected.

    1. Yet Another Anonymous coward Silver badge

      Re: Bavaria

      That's why all political gatherings in Munich should be held face-face, in a beerhall.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bavaria

        Even if putsch comes to shove, I'm sure I can't think of any possible downsides of having political meetings in a beerhall...

        1. Yet Another Anonymous coward Silver badge

          Re: Bavaria

          The advantage - if it was a particularly successful meeting then in the morning nobody can remember who you decided to invade, or where you got the traffic cone

  7. Anonymous Coward
    Anonymous Coward

    We don't sell your data

    We already heard it over and over and we all know you don't sell the data because you can monetize them better by selling just their usage for targeting without disclosing to others what you have and losing the ownership.

    We don't monitor - 'monitor' has a specific meaning, you may not 'monitor' and still 'collect' data - on the other side nobody would object to the monitoring of pure performance data, say latency or packet loss.

    Anyway, they also offer a free service, so again, where does the money come from?

    1. Version 1.0 Silver badge

      Re: We don't sell your data

      The English language is excellent for statements like this, you can say "We don't sell your data" but then you can do a lot of things with it that fall just outside the statement and have been cleared as OK by the company legal team because they don't meet the definitions of "we", "sell", "your" and "data".

      1. Henry Wertz 1 Gold badge

        Re: We don't sell your data

        "The English language is excellent for statements like this, you can say "We don't sell your data" but then you can do a lot of things with it that fall just outside the statement"

        What the spammers used to do is swear up and down they would not sell your E-Mail address to anyone. And they didn't sell it, they "rented" the E-Mail list to other spammers. Wait, they copied it? Huh.

        That said, I do find this unlikely. I think Zoom got caught with their pants down with a "you have no privacy" privacy policy, they are unlikely to have actually been doing everything this policy allows, it's to "cover your ass" if you want to do those things later. I think even if you want to assume they are evil, they've probably decided those sweet sweet $549 a month on up subscriptions are worth far more than selling off some marketing info but losing privacy-conscious users.

        1. Anonymous Coward
          Anonymous Coward

          Re: We don't sell your data

          "[...] they've probably decided those sweet sweet $549 a month on up subscriptions are worth far more than selling off some marketing info but losing privacy-conscious users."

          No - it is a classic avaricious case of wanting to both have the cake and eat it. They want the cherry on top too.

    2. Error 418

      Re: We don't sell your data

      We don't sell your data. We give it away in exchange for money.

  8. tiggity Silver badge

    Security Services

    Surely they (Security Services) should have been sorting out a more secure solution?

    It might not be as much fun as trawling through everyone's data, but they could make a bit of an effort.

    Even if it's the fault of someone at No 10 not liaising with the Security Services, you would have expected a near instant reaction from the Security Services when they saw the screenshots of Zoom usage posted everywhere, and they would have been onto No. 10 in a flash to help get them to sort something secure out.

    1. Chris G

      Re: Security Services

      Statement from No10:

      "We take our privacy and security extremely seriously, we only use services and devices that have been recommended by...erm... the chap who cleans the toilets at No10".

      1. BebopWeBop
        Devil

        Re: Security Services

        His name is Borsi - not much English, but we consider that a security plus.

    2. Doctor Syntax Silver badge

      Re: Security Services

      That would involve taking advice from experts. Give them time. They're only just realising they need to do that.

    3. Brewster's Angle Grinder Silver badge

      Re: Security Services

      I'm hoping it's PR and that they played with Zoom so they could say, "See, we're all in it together - we're using Zoom like you plebs" before switching to something more secure.

    4. Anonymous Coward
      Anonymous Coward

      Re: Security Services

      Just FYI, the MoD now allow use of Zoom with some restrictions - and have purchased a large number of licences.

  9. Tom 64
    FAIL

    wait, what?

    GCHQ said it wasn't in their remit? Government Communications Headquarters?!?

    1. Saruman the White Silver badge

      Re: wait, what?

      GCHQ operates in a purely advisory role in this case; it is the Cabinet Office which is actually responsible for providing secure communications links. As I understand it, GCHQ heard that Zoom was going to be used and basically blew a gasket in response, however the Cabinet Office ignored them and went ahead anyway. The rest, unfortunately, is history.

      1. Fading
        Black Helicopters

        Re: wait, what?

        Probably makes it easier for GCHQ to watch the briefings........

        1. BebopWeBop
          Trollface

          Re: wait, what?

          And Fort Meade and Beijing and.....

          But on the positive side, it will allay any suspicions that perfidious Albion might be competent to cause more trouble.....

      2. Roland6 Silver badge

        Re: wait, what?

        "GCHQ operates in a purely advisory role in this case; it is the Cabinet Office which is actually responsible for providing secure communications links."?

        I thought it was the responsibility of the Parliamentary Digital Services to provide technology to enable Ministers and MPs to communicate.

        I suspect the Cabinet Office has no ready to roll secure conferencing solution that could be deployed within 24 hours to a variety of geographically dispersed users and their mobile devices...

    2. Anonymous Coward
      Anonymous Coward

      Re: wait, what?

      After finding out they were using Zoom and not what they had built and supplied, like myself would say "Screw it they can sort it themselves".

    3. Velv
      Big Brother

      Re: wait, what?

      "Government Communications Headquarters"

      Yes, Government, but which Government.

      GCHQ was set up to monitor Communications by everyone else, not provide Communications for the Government.

      1. Yet Another Anonymous coward Silver badge

        Re: leak from home

        In the current lockdown you can't expect them to leave all the secret briefings in a wine bar or the back of a cab can you ?

        1. Anonymous Coward
          Anonymous Coward

          Re: leak from home

          "In the current lockdown you can't expect them to leave all the secret briefings in a wine bar or the back of a cab can you ?"

          ...and they are not allowed to make visits to their mistress***. Still - the Russian agent is not allowed to visit her either.

          ***Or as was clarified recently - unless they are sharing looking after their offspring.

  10. Fruit and Nutcase Silver badge
    IT Angle

    IT Advice

    "UK Prime Minister Boris Johnson sparked security concerns on Tuesday ..."

    If only he could have gotten on his bike and moseyed over to Shoreditch for some appropriate IT Advice

    1. BebopWeBop

      Re: IT Advice

      She wouldn't let him in.....

    2. IGotOut Silver badge

      Re: IT Advice

      "If only he could have gotten on his bike and moseyed over to Shoreditch for some appropriate IT Advice"

      Who would have advised him to try an IoT Blockchain secured AI with Alexa enabled fridge magnet.

  11. SW
    FAIL

    What a way to fail...

    Hahaha - using a video conferencing system based in the country that you want to do a "fantastic" trade deal with and there's no guarantee that they're not already listening in.

    1. BebopWeBop

      Re: What a way to fail...

      I would not put it as positively.

  12. Mr Dogshit

    But do they have the necessary hashtags?

  13. jonathan keith

    GDPR?

    The 'percentage of turnover' fine is..? Anybody?

    1. Anonymous Coward
      Anonymous Coward

      Re: The 'percentage of turnover' fine is..? Anybody?

      Exemption applies. But, come on, you never REALLY believed all animals are even remotely equal, didya?

  14. Locky

    They should ditch Zoom

    Houseparty is what all the cool kids are using these days

  15. Bronek Kozicki

    SMB password sniffing

    .... is not a new thing. It's precisely why my home firewall has these rules on outgoing connections:

    target-port="88 135 137 139 389 445 593" protocol="6" action="reject"

    target-port="88 137 138 389" protocol="17" action="reject"

    (and before anyone asks, the rules for incoming connections are: very short whitelist, everything else dropped)

    PS. here is reference list

    1. Sandtitz Silver badge

      Re: SMB password sniffing

      Firewalls should always be configured to deny all egress traffic with exceptions for what's needed.

  16. Anonymous Coward
    Anonymous Coward

    Webex....

    Good enough for all the heads of Europe to use with each other, but not good enough for the cabinet.... It'll be those customisable backgrounds(*)

    Yeah, it needs to be set up correctly to be secure but once it is....

    Zoom appears to be leakier than a Crapita solution.

    (*) First achieved by iChat and Quartz on the Mac: I miss the rollercoaster...

    1. Caver_Dave Silver badge
      Unhappy

      Re: Webex....

      Good enough for European leaders, good enough for National leaders, but not good enough for Parish Councils.

      We were told last week (via our county association) that we could not use any electronics alternatives for meetings!

    2. nematoad
      FAIL

      Re: Webex....

      "Good enough for all the heads of Europe to use with each other, but not good enough for the cabinet."

      Yeah, we don't want to follow the EU in anything. We are an independent country now.

      Why let common sense override dogma? After all we don't need no steenking EU purchased ventilators. See here.

      And if the "Torygraph" is having a pop at a Tory government then things must be bad.

      1. Anonymous Coward
        Anonymous Coward

        Re: Webex....

        "And if the "Torygraph" is having a pop at a Tory government then things must be bad."

        The online DT has become almost readable again - the lunatics no longer seem to be dominating the articles. In the last few years its articles had gone from being a reasonable source of centre-right views to being laughable ******.

    3. steviebuk Silver badge

      Re: Webex....

      Knobhead Cummings probably told them to use Zoom and they wouldn't say no. If anyone looks like a bully he REALLY does.

  17. Anonymous Coward
    Anonymous Coward

    So The Don also conferenced into the cabinet meeting.... nice.

  18. chivo243 Silver badge
    Facepalm

    F A C E P A L M

    This one ranks up there! The knock yourself unconscious kind! As an IT guy I totally get why... It's hard to tell someone above you they are wrong and a) keep your job b) be taken seriously.

    I wonder how many other collaboration apps should be called hoover?

    1. Anonymous Coward
      Anonymous Coward

      Re: F A C E P A L M

      When dealing with children - it is sometimes necessary to stand back while they discover the hard way that your warnings were true.

  19. ibmalone

    Dog fooding

    I suppose we should applaud them, after all they want everyone else to use man-in-the-middle broken encryption, so they're leading by example. Just leave the password off and it'll get us that much closer to properly open government.

    (I read that GCHQ response as: "Of course they shouldn't, but you try telling them.")

    1. Peter X

      Re: Dog fooding

      What's annoying is, there will still be a bunch of them, in a few months time, complaining about Huawei and their risk to British security.

  20. Mike 125

    idiots

    "Currently, it is not possible to enable E2E encryption for Zoom video meetings...."

    It's not just Zoom's lie about E2E encryption. It's the way they encourage 'ease of use'. I am regularly sent this legitimate (numbers changed) invite over open webmail (by an outfit which believes what Zoom tells them).

    >>>

    Join Zoom Meeting

    https://us04web.zoom.us/j/123456789?pwd=ZXJRchf9h379493JQWQ4Ufjeiweoifnf

    Meeting ID: 123 456 789

    Password: 123456

    <<<

    Zoom are lying f'cking idiots.

  21. Anonymous Coward
    Anonymous Coward

    most senior officials and ministers were using bog-standard Zoom

    and why not. After all, we don't spy on our friends, and our friends don't spy on us, eh? :(

    1. SVV

      Re: most senior officials and ministers were using bog-standard Zoom

      Does it really matter, when all it will reveal is that yes, they really are a bunch of clueless idiots?

      1. mikepren

        Re: most senior officials and ministers were using bog-standard Zoom

        Secretly they are competent, it's just a misdirection to fool the enemy /french

  22. GreggS

    Is the use of Zoom down to his PM in all but name, sorry special advisor Dominic Cummings?

    1. Dan 55 Silver badge

      No, it's his nephew who's good with computers, he's done a website in PHP and MySQL and everything.

    2. Cardinal
      Alien

      @GreggS

      You mean Dominic 'Kaa' Cummings? - (a.k.a.'Snake-eyes')

      BlowJo hasn't even a chance of resisting when 'Kaa' turns those hypno-swirl eyes on him before giving him the orders of the day.

  23. Adrian Harvey
    Big Brother

    NZ cabinet used it too

    Was mentioned in a press conference on COVID this week. But they explicitly stated that it had not been security cleared for Restricted material, so there were some items they would not be discussing using that system.

    1. Anonymous Coward
      Anonymous Coward

      Re: NZ cabinet used it too

      To be fair, there's no reason to believe that the UK gov weren't doing the same re restricted materials.

      1. Mike 16

        Re: NZ cabinet used it too

        ---

        weren't doing the same re restricted materials.

        ---

        Well, if they were using the Zoom app, rather than the web client (which Zoom tries _really_ hard to prevent you finding out about), the persistent surreptitious web server with access to your mic and camera could be grabbing conversations being held in a room when the occupants _thought_ they were not "on Zoom". Perhaps all Zoom meetings should be held in a dedicated Cone of Silence.

        Ah: further research

        https://www.theverge.com/2019/7/9/20688113/zoom-apple-mac-patch-vulnerability-emergency-fix-web-server-remove

        says this (_particular_ "bug") only affects Macs, and there is a patch. So if either No 10 is Windows only, or they diligently apply patches, No problem...

    2. Yet Another Anonymous coward Silver badge

      Re: NZ cabinet used it too

      Thank G*D, imagine if the NSA got access to NZ secrets

  24. Jimmy2Cows Silver badge
    Facepalm

    Surprising. Or not.

    Somewhat surprised that one of the supposedly most advanced nations on the planet doesn't have something a little more.. dedicated.. less COTS over the internet, for remote gov conferencing.

    Then again given the shower of shite that passes for intelligent governance these days, and the Army's having to fall back to WhatsApp, so I guess I'm not surprised at all.

    1. Doctor Syntax Silver badge

      Re: Surprising. Or not.

      I'm not sure the cabinet counts as one of the most advanced nations on the planet.

    2. Dan 55 Silver badge

      Re: Surprising. Or not.

      Hasn't it been obvious for over a decade or so that nobody in government or the civil service really gives two shits about privacy?

  25. smudge
    Coat

    Don't we always say...

    ... that we want open and transparent government?

  26. Klimt's Beast Would
    Facepalm

    Considering that meeting...

    ...it was using bellend-to-bellend technology...

  27. Keith Langmead
    Coat

    No one needs End to End encryption!

    Not sure what the issue is here, everyone knows that there's no legitimate need for end to end encryption online. That's what the UK government keeps telling us (along with governments around the world) to justify banning us from using it / back dooring its implementation, so it must be true right?

  28. Long John Silver
    Pirate

    Technical ineptitude of political class and its advisers

    English government, later the UK, began infatuation with secrecy and surveillance during the reign of Elizabeth I and has taken it to a fine art. There are publicly acknowledged agencies such as GCHQ, MI5, MI6, and the military, with perhaps others lurking in shadows, able to draw upon some of the finest minds in present day communication technology and encryption. Yet, what does the Cabinet Office do when obliged to implement A/V conference calls with transmission of highly sensitive material? It draws upon services from an American company of obscure provenance. One it turns out able to permit US government agencies to listen in.

    It would be surprising were there not technologies already in place for secure A/V communication, including possibility of conferencing, among military, security, police, and other agencies charged with protection of UK interests. What means of communication have been arranged for government ministers and regional co-ordinators when dispersed in emergency to second generation post Cold War bunkers and outposts?

    It is almost unbelievable that the Cabinet Office would adopt a conferencing system for deployment by ministers and officials located in the UK, indeed most within short distance of Downing Street, that operates through servers under jurisdiction of another nation.

    Had contingency demanding highly confidential/secret communication at Cabinet level crossed the minds of those responsible for thinking ahead a secure system would already have been to hand.

    In devising such system there need be no call upon private contractors. A small team assembled from agencies containing requisite expertise could have written necessary computer code quickly. No cutting-edge brilliance would be required. It would merely be a matter of putting together existing communications and encryption technologies. Much of the necessary code is sitting within the agencies and anything else might be obtained from open source repositories. The experts' primary task would be testing fitness for purpose of whatever they assembled.

  29. Milton

    Unprecedented stupidity

    People are asking about the role of the security services and assuming that the poor buggers are not, right now, slapping their foreheads and rolling their eyes to the tune of—

    Boss: "You mean Number Ten Downing Street just installed an ordinary public app to conduct a virtual meeting? They didn't pick up the phone to GCHQ, for chrissake, to ask what to do? They didn't think to check with anyone who had the first clue what they were doing? You shirley can't be serious??"

    Shirley: "Well, the PM is a known liar, mediocre student of dead languages, can't keep his flies zipped, doesn't retain or understand even basic details, knows absolutely sweet FA about technology (and everything else, actually) and has a well-earned reputation for laziness and incompetence. And he's surrounded himself by useless yes-men. One of them used to sell fireplaces! We've learned to expect this level of idiocy."

    Boss: "Fucking hell. What secrets has he let slip?"

    Shirley: "None. We stopped telling him the sensitive stuff when he was still making a fool of himself in the Foreign Office."

    Boss: "I don't know whether to laugh or cry."

    Shirley: "Personally, I recommend you begin drinking heavily. And stop calling me Shirley."

    1. Yet Another Anonymous coward Silver badge

      Re: Unprecedented stupidity

      Starting to hope that Trump/Boris are actually just actors distracting attention from the lizard people really running things

      1. Loyal Commenter Silver badge

        Re: Unprecedented stupidity

        Sadly, it's not lizard people, it's cunts like Bannon and Cummings, and global mega-corps like Halliburton. And the oil-producing Arab countries, as long as they can continue to pump money out of the ground.

        edit - oh, and don't forget Vlad and his FSB/GRB cohorts.

        1. Yet Another Anonymous coward Silver badge

          Re: Unprecedented stupidity

          I wish I could believe it was being run by evil Machiavellian geniuses - but I suspect it's just idiots all the way down

          1. Loyal Commenter Silver badge

            Re: Unprecedented stupidity

            I never said they were geniuses, it's just that if you don't give a shit about other people, it gives you a natural competitive edge. That's why, for example, capitalism has to be tempered with regulation, such as that limiting monopolies, to stop the greediest grabbing everything for themselves.

            The thing that the people and entities I listed have in common is that they are motivated purely out of self-interest, with no regard for societal externalities. Stuff that is great for the individual is often not great for the human race as a whole. More people could do with giving humanism a go.

  30. saxicola

    But governments hate E2E encryption so it's OK.

  31. Anonymous Coward
    Anonymous Coward

    Hang on, just hang on

    so I am on a thread full of know-all security "experts" that are commenting on a clickbait article on a site full of ads?

    At least I have the sense to use a "burner" pc. And have the sense not to trust an ad/tracker blocker. After all, as I have read many times on this site, "if it is free you are the product"

    Cheers… Ishy

  32. quartzz

    Number 10 uses government approved protocols.

    unless it doesn't. know they exist.

    and they aren't

    ok then

  33. steviebuk Silver badge

    This is because...

    ...Rick Moranis, sorry I mean Michael Gove "has had enough of experts"

    :)

  34. Anonymous Coward
    Anonymous Coward

    You forgot to mention the spyware they installed on Mac computers for a long time (until they were caught out).

    And that they turn on video by default unless you go in and change it. One time a colleague called in from bed (fully dressed, but still...). You don't expect an app to do this until you explicitly turn it on.

  35. Marcus Fil

    We are all overlooking one important aspect

    Stupidly negligent the use of Zoom may be at such high levels of government, we must remember the actual individuals involved. The US or Chinese would get more sense bugging the whooping from London Zoo's monkey house.

    Of course the Russians don't need to bug the Cabinet - they've bought them.

    [Note absence of Joke icon]

    1. Yet Another Anonymous coward Silver badge

      Re: We are all overlooking one important aspect

      >Of course the Russians don't need to bug the Cabinet - they've bought them.

      I hope they kept the receipt

  36. vogon00

    FFS! Typo again

    Normally, I don't bother flagging typos (Regular readers will note I frequently make them - Vino Rosso, don't you know..)....however today has been bad.

    "A link such as \\evil.server.com\foorbar.jpg will, when clicked on, cause Windows to connect to evil.server.com, supplying the logged-in user's credentials in hope of fetching foobar.jpg."

    Errrr...."foorbar.jpg" != "foobar.jpg" so typo needs correcting, or the conclusion needs changing to "in hope of fetching a 404 page."
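    The quoted sentence describes the classic UNC-link credential leak: a chat client that turns `\\host\share\file` into a clickable link lets one click send the logged-in user's credentials to whatever host the link names. The defensive counterpart is to spot such paths in message text before they are rendered and refuse to link those that point outside your own domains. The following is an added example, not code from the commenter, the article or Zoom; it uses a deliberately simplified UNC grammar, constructed sample messages, and a hypothetical internal domain suffix `.gov.example`.

```python
import re

# Windows UNC path: two leading backslashes, a host (DNS/NetBIOS name or IP),
# then one or more backslash-separated path components. This is an assumed,
# simplified grammar; it does not cover every form Windows accepts.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)((?:\\[^\s\\<>"|?*]+)+)')


def find_unc_paths(text):
    """Return (full_path, host) for every UNC path found in a message."""
    return [(m.group(0), m.group(1)) for m in UNC_RE.finditer(text)]


def is_internal_host(host, allowed_suffixes):
    """True if host is a bare NetBIOS-style name or ends with an approved suffix."""
    host = host.lower()
    if "." not in host:
        return True
    return any(host.endswith(s) for s in allowed_suffixes)


def neutralize_unc(text, allowed_suffixes=()):
    """Replace UNC paths that point outside the allowed domains with an inert
    marker, so a client that auto-links text never turns them into clickable
    links that would trigger an outbound SMB connection on click."""
    def repl(m):
        host = m.group(1)
        if is_internal_host(host, allowed_suffixes):
            return m.group(0)
        return f"[external UNC path to {host} removed]"
    return UNC_RE.sub(repl, text)


# Constructed sample messages, not real traffic.
SAMPLE_MESSAGES = [
    r"Minutes are on \\fileserver\cabinet\2020\minutes.docx",
    r"lol check this out \\evil.example.net\share\foobar.jpg",
    "Nothing to see here, just a normal message.",
]
ALLOWED = (".gov.example",)  # hypothetical internal domain suffix


def scan_messages(messages, allowed_suffixes=ALLOWED):
    """Return one report per message: external hosts seen and the sanitized text."""
    reports = []
    for msg in messages:
        hosts = [h for _, h in find_unc_paths(msg)]
        external = [h for h in hosts if not is_internal_host(h, allowed_suffixes)]
        reports.append({
            "original": msg,
            "external_hosts": external,
            "sanitized": neutralize_unc(msg, allowed_suffixes),
        })
    return reports


if __name__ == "__main__":
    for r in scan_messages(SAMPLE_MESSAGES):
        if r["external_hosts"]:
            print("ALERT: external UNC host(s):", r["external_hosts"])
        print(r["sanitized"])
```

    Bare hostnames are treated as internal because a NetBIOS-style `\\fileserver` can only resolve inside the local network; everything with a dot must match an approved suffix. A real deployment would feed `external_hosts` into alerting and apply `neutralize_unc` in the rendering path rather than on stored text.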

    1. Anonymous Coward
      Anonymous Coward

      Re: FFS! Typo again

      There's also the reference to "earlier this month", in an article published on April 1st...

  37. rag2

    Boris: You sacked Bob Quick for less!

    Does anyone remember Bob Quick being sacked—described as resigning—in 2009 for keeping Secret papers in a transparent folder, duly photographed by the paparazzi? And who was Mayor of London at the time who sacked him/took the resignation? The very same Boris J., now the UK's Prime Minister!

    https://www.theguardian.com/uk/2009/apr/09/bob-quick-terror-raids-leak

    1. Doctor Syntax Silver badge

      Re: Boris: You sacked Bob Quick for less!

      There was quite a back story to that as the Grauniad article explains. It struck me at the time that if he hadn't upset the then opposition he might have survived. If you put yourself out on a limb expect it to be cut off.

  38. streaky

    Stronk Disinformation

    Crucially, the use of the Zoom software is likely to have infuriated the security services

    Because? There were like 40 people that we could see, ignoring staffers, families and the like. You think they discussed privileged information? Really? Oh dear.. That's not what cabinet meetings are for.

    while also raising questions about whether the UK government has its own secure video-conferencing facilities

    Nah man they just use Zoom for everything despite the contracts for video conferencing being fairly well publicised.

    We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

    As they should.

    You people can't possibly be this simple? It's clearly a massive diversionary tactic. Pointless one sure, but let's get a grip? They wouldn't talk about anything of note over the public internet, full stop.

  39. Adalat

    What else is there?

    Zoom's policy regarding their ability to use your content is absolutely scary. But I have been looking at video conferencing generally, and not impressed by any of them. Does anybody know of a video conferencing system that would be regarded as secure enough for a virtual board meeting by a listed public company? That is, both physically secure, and not owned by somebody who is likely to monitor users' content?

    On another question, doesn't GCHQ have someone full time in No. 10 to keep an eye on what happens there, and how it happens?

    1. Doctor Syntax Silver badge

      Re: What else is there?

      Take a look at what can be built on NextCloud, assuming you have the capacity to host it yourself.

    2. Anonymous Coward
      Anonymous Coward

      Re: What else is there?

      For one-to-one, I'd say Signal. I don't think it can do multi-way video chats, though.

      Potentially of interest, but I have no idea how secure they are, although judging from this kerfuffle, it's probably more realistic to say that open source software, done for the intellectual challenge and gradual polished codeworkery of it, rather than cobbled together to a too-rushed deadline, is hopefully less likely to have horrendous security design oversights and crufty coding shortcuts than any of these supposedly commercial-grade systems seem to, could be Jitsi Meet or Jami?

      (And whatever happened to Firefox Hello (based on WebRTC)?)

  40. Anonymous Coward
    Anonymous Coward

    Cabinet Office

    Interesting thing is that all the rules for computer use / solutions for UK govt. etc. are actually handed down by the Cabinet Office.

    With input from GCHQ and NCSC, but the buck stops with the Cabinet Office.

    BIG set of rules.

    There definitely are secure govt. conferencing solutions but this would probably have been a case of somebody rapping on the door of somebody in No. 10 IT office and saying we need to do this now, what do you mean you'd need to get accounts sorted out, paperwork, sign-offs? No, no, no, this is happening in 30 minutes JFDI or you're out the door.

  41. Anonymous Coward
    Anonymous Coward

    This is why those fuckwit government IT staff should lose their jobs

    1. Doctor Syntax Silver badge

      Because the government overruled them? It's not unknown for top management anywhere to decide that rules only apply to little people and do their own insecure thing.

  42. olderbutnowiser
    WTF?

    This is one of those articles published on April 1 which you read very carefully and then admire the chutzpah and humour of the journalist. Except that it isn't. Hence Icon.

    If there isn't anyone anywhere in the Civil Service who can find a self-hosted video conferencing tool, running on a server in a govt datacentre, with TLS security between punter and server, then I'm pretty astonished. If there isn't such a system around already, I'm even more astonished. Just try googling open-source video conferencing tools: there's some out there.

    But I can see why they went for Zoom. Setup and use is idiot-proof.

    1. Roland6 Silver badge

      >But I can see why they went for Zoom. Setup and use is idiot-proof.

      Plus, would not be surprised if they were already using it for inter-Conservative MP and Constituency communications, so minimal set up and learning required.

    2. Doctor Syntax Silver badge

      "Setup and use is idiot-proof."

      Idiot proof or idiot friendly?

      1. Yet Another Anonymous coward Silver badge

        It's a hell of an advert for Zoom if even cabinet ministers managed to set up a multi-way video call without the help of experts.

        "Zoom, the software so simple Chris Grayling can use it"

  43. AndyD 8-)₹

    TLS

    So there's nothing wrong with TLS - it's the zoom in middle!

    I'll stick with SSH - key delivered by armoured carrier pigeon.
